Hackers Can Steal 2fa Codes and Private Messages From Android Phones
Source: arstechnica.com (Hacker News story, high profile). Key topics: Android security, 2FA vulnerability, side-channel attack.
A new side-channel attack allows hackers to steal 2FA codes and private messages from Android phones, sparking discussion on the security implications and potential mitigations.
Snapshot generated from the HN discussion
Key moments
- Story posted: Oct 13, 2025 at 7:49 PM EDT
- First comment: Oct 13, 2025 at 7:54 PM EDT (4m after posting)
- Peak activity: 40 comments in the first 3 hours
- Latest activity: Oct 15, 2025 at 10:45 AM EDT
HN story ID: 45574613 (last synced 11/20/2025, 2:55:49 PM)
Bad opinion time that I hope will maybe at least be thought provoking: I would hope a malicious app I willingly installed will be able to behave maliciously. Our security bureaucracy is going to grow exponentially and people are still going to be stealing people's shit, because people need to be able to access their shit and people are dumb.
Yes.
Because we're not comparing air nailers or electric nail guns or screw guns. It was about a hammer.
Your comparison is so ridiculous because the table saw did not obsolete any other kind of saw. It was only a new type of saw that allowed for some types of sawing to be done much easier.
The saw stop wasn't a replacement for manual saws. Table saws existed (and still exist!) and have a nasty habit of removing people's fingers. The saw stop was designed as a better table saw.
The point being that it's wild to start with the idea that hammers must be a danger to thumbs, and then double down by trying to claim that any hammer that wasn't a danger to thumbs wouldn't be called a hammer. Getting a table saw with a saw stop on it doesn't make it not a table saw.
If you've ever used a hammer, a tool that has been around for tens of thousands of years, you will know by its very nature of its operation it is a danger to thumbs. Trying to think that you can do "on an iPhone" and start with the assumption that a hammer fulfilling the functions and utility that it has and has had for 10,000 years cannot be a danger to thumbs is an erroneous thought and it shows the height of hubris.
Can you have tools that fulfill some of the functions of the hammer that are not dangerous to thumbs? Absolutely and we have those already. Any of the automatic nailers have built-in safety features to prevent accidents. Sometimes people disable those safety features because they do cause problems in legitimate use cases but they are built with those safety features. This would be analogous to saw stop which works in table saws which is a very limited saw.
Just like a table saw cannot fulfill all of the functions of a hand saw. A device that pounds nails or other things that has features to prevent it from accidentally hitting thumbs would not be able to fulfill all of the functions of the hammer.
From what we've seen with saws, this is your example not mine, all of the electric saws that have ever been built have never been able to eliminate the usefulness or utility of the simple handsaw which is dangerous to use. So where is the hubris to say that because you can invent a safer nailing device, which they have, it will somehow supplant and replace the hammer? The evidence says that's not the case.
Just because we use table saws to rip lumber or massive table saws to cut up trees into lumber doesn't mean that no one could have created lumber prior to the invention of the table saw. We just factually know that's not true. Faster, easier, better, absolutely but all of it could be done and was done with hand saws. Maybe you're thinking the hand saw is limited to this simple hand saw that we have now or a simple Japanese hand saw and not the actual large hand saws that took two people to operate but are still hand saws that come with all of the dangers of the hand saw.
https://www.youtube.com/watch?v=oQu3ccfl7Ow
Or you would yell at a cloud?
If you want to compare the hammer to something that saws you would compare it to a handsaw. Show me the hand saw that cannot damage your fingers.
You must think you're very smart but I don't think you've done any manual labor in your life. Because the table saw never obsoleted any other type of existing saw. It was simply a new tool that enhanced the ability to do certain types of sawing. The more you limit a function of something the easier it is to put guardrails around it. That was the original poster's point. You can limit Android to the point that it is nearly useless or useless only for the most basic of tasks but then you remove the power of it but you do not remove the need for all of the other tasks.
Table saws with saw stop still necessitate hand saws in some circumstances. Power nailers that have safety features that prevent their discharge in unsafe ways do not obsolete hammers.
They're called rubber mallets and they are useful in a number of situations where you want to
> I would hope a malicious app I willingly installed will be able to behave maliciously.
You should be able to install an app that has continuous access to your screen but that doesn't mean that continuous access to your screen is something you should have to grant to every piece of software that runs on your computer.
I also think iOS is more of an opinionated 'set of shears'. E.g. 'Right Hand only Scissors made from proprietary parts, made to only cut objects that 80% of scissor users need to cut' if we were to go down the road of analogies.
Funnily enough Google Android is removing the ability for unsigned non-adb APKs. I would suggest your 'regular' scissors will be slightly blunted in the upcoming Android 16 OS release.
I think this is the part people are upset about
In Windows installing malware compromises other applications, while in Android, your other apps are safe. In this news, this security mechanism fails. To denounce that the mechanism is completely useless is quite stupid, you just outed yourself as someone who doesn't have any security responsibilities and shouldn't have.
As Raymond Chen/Old New Thing likes to say this rather requires being on the other side of this airtight hatchway. You can allow apps to do things on your device.
The obvious joke, how long has Facebook been using this exploit?
The 90% of non technically-savvy Android users are 100% exposed to the OP exploit.
Motorola are assholes and now prevent you from using pm to disable any of their malware loader apps on most of their phones.
The article mentions that "the attacker renders something transparent in front of the target app". I would have thought that sort of thing would require the "appear on top" permission.
They were caught exfiltrating data from phones, with no visible Facebook app installed, only the background one.
First it requires the user take buckets of ammonia and bleach and mix them together.
PS: I just checked and it also doesn't change the color of the pressed keys or any other visual feedback that an attacker might use.
I think it speaks about the security of Android that this makes the news. Coming from Windows, Android always felt like a MUCH more secure Operating System, not just a similar quality Operating System with touch controls and support for smaller hardware.
This doesn't apply in this case, as (usermode apps') screen capturing does require permission, and applications can specifically opt-out from being captured by apps even with that permission, which Google Authenticator does have set. So a trust boundary is being violated, therefore this is a legitimate security issue by his logic.
Edit: IIRC the original argument was more reasonable, but it has since been abused in all kinds of situations to make low effort putdowns, like this one.
Side channel attack is not a novel idea, just not used to find Android bugs like this.
Yes, but "side channel attack" isn't much of a description, is it? You can't just declare "I make a side channel attack!"[1], you need to invent one.
In this case it turns out that the hardware rendering of the zoom animation in the blur effect of stacked activities on the screen left crumbs that can be detected in the alien context. I certainly didn't know that. Did you know that? I don't think anyone knew that! It's "novel".
[1] Shades of Michael Scott declaring bankruptcy.
> Google has attempted to patch Pixnapping by limiting the number of activities an app can invoke blur on. However, we discovered a workaround to make Pixnapping work despite this patch. The workaround is still under embargo.
Great, Google's security policy ended up being a zero-day. Exactly as denied and exactly as predicted by the community.
Also, this is the direct paper link: https://www.pixnapping.com/pixnapping.pdf
What is the security policy you'd like to see here? If the researchers were to publish the updated attack before mitigation then that WOULD be a zero day!
Essentially the dumping strategy of open source that Apple has been doing for years.
Read the LineageOS blog article for more details on why stripping history and publishing only a tarball might be seen as the most stupid development practice ever.
[1] https://lineageos.org/Changelog-30/
[2] GrapheneOS discussion about embargo https://news.ycombinator.com/item?id=45158523
I'm not sure you are aware that the embargo references an NDA that you have to sign in order to get the updated sources/patches before the 3-months delay until it is released to the public.
Then guess what an NDA has to do with the condition of "being allowed" or "not being allowed" to publicly disclose a security bug that you've found.
[1] https://android.googlesource.com/platform/docs/source.androi...
Clever and evil.
> 2. Attacker app opens Google Authenticator's main activity
> 3. Attacker app opens a stack of activities to include graphical operations on pixels displayed by Google Authenticator's main activity
Android allows apps to call other apps? While remaining in the foreground? How does that work? I don't think iOS allows this.
From the paper:
Recall from Section 2.1 that when a caller activity sends an intent to a callee activity, Android moves the callee activity to the foreground (along with its task's back stack if android:launchMode="singleTask") and moves the caller activity to the background.
However, despite no longer being in the foreground, the caller activity is still allowed to send intents that start additional activities from the background. For example, the caller activity can send another intent to launch a second callee activity.
In this case, the second callee moves to the foreground, while the first callee is moved to the background. Further, SurfaceFlinger treats the window of the second callee as being overlaid in front of the window of the first callee.
In our framework, the attacker app leverages this behavior to layer a stack of semi-transparent activities in front of a newly launched victim activity. In the following, we describe how the attacker uses this stack and SurfaceFlinger’s APIs to isolate, enlarge, and transmit individual pixels from the victim activity.
The patch was committed about 3 months ago, possibly available to OEMs as binary earlier, but devices are probably just receiving these patches.
I bet at least half of all affected Android devices in the world have not got the patch yet if I am optimistic. It's probably near 80-90%.
... has not been (effectively) patched against, as it happens. Maybe in December!
Wayland, once hardened with security-context doesn't directly expose anything worrying (clipboard stealing is possible but would require window focus or the generation of a window which grabs focus). It remains to be seen if there are side-channels hiding somewhere in it or in the various GPU stacks.
Side channels are why we can't have nice things.
Can I assume this is being exploited in the wild? Some black hats must be smart enough to figure out the workaround on their own.